Hi Claus,
On 18/05/20 20:59, Claus Assmann wrote:
On Mon, May 18, 2020, Alexander Gryanko wrote:
[thanks for the hints, I will try that ASAP]
But first of all, check your cert type. Looks like you are using non-RSA
cert which is not supported by S8.
As I wrote: it works fine if I don't use TLSv1.3 or if I use openssl
s_client with TLSv1.3 (it is an RSA cert and I also tested against
another S8 server which uses a Let's Encrypt cert).
FWIW: adding TLS 1.3 support to my EAP-TLS code got me stumped for a
while as well. I eventually added up the following snippet:
/* Set up a SSL Session cache with a callback. This is needed for
TLSv1.3+.
* During the initial handshake the server signals to the client
early on
* that the handshake is finished, even before the client has sent its
* credentials to the server. The actual connection (and moment
that the
* client sends its credentials) only starts after the arrival of
the first
* session ticket. The 'ssl_new_session_cb' catches this ticket.
*/
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT |
SSL_SESS_CACHE_NO_INTERNAL_STORE);
SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb);
with
int ssl_new_session_cb(SSL *s, SSL_SESSION *sess)
{
dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:");
/* always return success */
return 1;
}
This callback is necessary as otherwise the client thinks the session
handshake is done too soon (and in my case, it does not bother to send
any client-side certificate info to the server).
Perhaps you are seeing something similar? If not, then sorry for the noise.
HTH,
JJK / Jan Just Keijser
